8 Mai 2008 von Alexander Kornbrust.

2 weeks ago Oracle released the instant client 10.2.0.4 for Mac OS Intel. Yesterday I had the time to recompile checkpwd (checkpwd for other platforms) with the new instant client. The compilation worked flawless.

The performance of checkpwd with the native Oracle Mac client is 50% faster than the previous version for PPC.

Here are the links:

• Checkpwd 1.23  [Mac - Intel - native] - 37 MB - with Oracle instant client
• Checkpwd 1.23  [Mac - Intel - native] - 68 KB - without Oracle instant client
• Checkpwd 1.23  [Mac - Intel - native] - 68 KB - Passwords are not displayed

And here sidguess recompiled for Mac - Intel:

•  Sidguess 1.02  [Mac - Intel - native] - 16 KB -without Oracle instant client

Geschrieben in passwords, checkpwd, Security, Oracle Security | Drucken | Keine Kommentare »

23 Okt 2007 von Alexander Kornbrust.

I just uploaded checkpwd 2.00 A12. This first version of checkpwd  2.0 comes with a lot of new features making it the smartest and most convenient Oracle password checker around… (and it’s free).

2 weeks ago Laszlo released his password cracker woraauthbf becoming the fastest password cracker for Oracle (but not the smartest). Woraauthbf is working in offline mode only and does not use information from the database.

Checkpwd is connecting to the database (offline is possible too) and uses passwords and potential password candidates from the database for cracking Oracle passwords. This approach is often more successful than the normal dictionary based approach (see password of MGMT_VIEW in screenshot). Due to this technique checkpwd finds more passwords than woraauthbf and that’s the main goal of a password checking tool. Speed is not everything…

Another interesting but dangerous feature writes the found passwords into a file called foundpw.txt. The content of this file is used the next time, making the passwords dictionary more and more powerful. This feature is useful for cloned databases which are normal in company environments. Be careful with this file…

Here are some of the new features of checkpwd:

* support for Oracle 11g passwords
* support for APEX passwords (1.4-3.0.1)
* collect passwords from the database
* collect password candidates from the database
* option not to display the oracle password in command line
* crack passwords from the password history
* crack role passwords
* save checkpwd default configuration in a configuration file
* read username and password hashes from a file
* …

Feature-Requests and comments are welcome.

Geschrieben in passwords, checkpwd, Oracle Security | Drucken | 1 Kommentar »

9 Okt 2007 von Alexander Kornbrust.

Today Laszlo released his password cracker woraauthbf for Oracle, the fastest windows tool for cracking Oracle passwords (supports the new and old password hash format plus cracking the authentication attack).

On his webpage Laszlo has a small benchmark comparing the 3 leading password Oracle crackers checkpwd, orabf and woraauthbf. According to Laszlo’s benchmark checkpwd 1.22 is the slowest cracker (but only out of these 3).

I was surprised that checkpwd was so slow comparing to the benchmarks I did on my systems. The reason for this is bad result was the way how Laszlo performed the tests.

Laszlo was testing only 1 password hash. The implementation of reading of the dictionary file is slow that’s why this affects the entire result of checkpwd. In the real world you are normally testing many password hashes and not only 1 hash
That’s why I run a benchmark how long it takes to crack 40 hashes (instead of 1 hash) with the new checkpwd 2.0 which supports reading passwords hashes from a text file (to get rid of the file reading overhead). I run the tests on my 2 GHz Core2Duo.

woraauthbf 0.2 1.103.773 pw/s (Laszlo: 515114 pw/s)

checkpwd 2.0 637.263 pw/s (Laszlo: 193.168 pw/s)

orabf 0.76 400.000 pw/s (Laszlo: 311.994 pw/s)

Checkpwd 2.0 was nearly 2 times faster in this benchmark (just by cracking 40 instead of 1 password (637.263 vs 309.057)).

In checkpwd 2.0 we will focus on intelligent password cracking instead of pure power but we are still interested to improve the speed of checkpwd.
Here some new features of checkpwd 2 (released next week)

* cracking APEX passwords
* support for Oracle 11g
* support for Oracle Password History
* intelligent password collector
* many new options
* …

Geschrieben in 11g, checkpwd, Security, Oracle Security | Drucken | Keine Kommentare »

21 Sep 2007 von Alexander Kornbrust.

Oracle 11g is using a new password algorithm based on SHA-1 and finally supports case-sensitive passwords. Our partner, Recurity Labs GmbH (formerly known as S*bre Labs GmbH), did an analysis of the algorithm for us. A really great blog entry about their process of research could be found here.

Thorsten Schröder from Recurity Labs GmbH wrote a small python script as a PoC. The updated version of checkpwd 2.0 with support for Oracle 11g will be released on monday. On monday we will also release some performance numbers with a benchmark 10g vs 11g.

—

#!python

# “PoC” Oracle 11g Database password-hash cracker
# This program uses the password hash value “spare4″ from the internal
# oracle user-database and a list of passwords via stdin to calculate a new
# hash value of the plaintext password. The new generated hash value is subsequently
# compared against the hash-value from sys.user, the internal oracle user-database.

# Author: Thorsten Schroeder <ths “theAthing” recurity-labs.com>
# Berlin, 19. Sep. 2007

# TODO:
# cut passwords at length 30

import hashlib
import binascii
import sys

def main():

if( len(sys.argv[1]) != 60 ):
usage()
sys.exit(1)

try:
oraHash = sys.argv[1]
oraSalt = oraHash[40:60]
oraSha1 = oraHash[:40]
oraSha1 = oraSha1.upper()

print “[+] using salt: 0x%s” % oraSalt
print “[+] using hash: 0x%s” % oraSha1

for passwd in sys.stdin:
passwd = passwd.rstrip()
#print “[*] trying password “%s”” % passwd

s = hashlib.sha1()
s.update(passwd)
s.update(binascii.a2b_hex(oraSalt))
if( s.hexdigest().upper() == oraSha1 ):
print “[*] MATCH! -> %s” % passwd
sys.exit(0)

except Exception, e:
print “[!] Error: “, e
usage()
raise

sys.exit(0)

def usage():
print “[+] usage: ./ora11gPWCrack.py <hex-value> < wordlist.txt”
return

if __name__ == ‘__main__’:
main()

—

Geschrieben in 11g, checkpwd, Oracle Security | Drucken | Keine Kommentare »